AI Evasion and Impersonation Attacks on Facial Re-Identification with Activation Map Explanations

TL;DR

This paper presents a fast, effective adversarial patch generation method for facial re-identification systems, demonstrating significant attack success and interpretability insights, highlighting vulnerabilities in current surveillance models.

Contribution

Introduces a single-pass neural network framework for generating adversarial patches for facial re-identification, with enhanced realism and cross-model effectiveness, and offers interpretability via activation map clustering.

Findings

Reduces mean Average Precision from 90% to 0.4% in white-box attacks

Achieves 27% success rate in targeted impersonation on CelebA-HQ

Demonstrates strong cross-model generalization of attacks

Abstract

Facial identification systems are increasingly deployed in surveillance and yet their vulnerability to adversarial evasion and impersonation attacks pose a critical risk. This paper introduces a novel framework for generating adversarial patches capable of both evasion and impersonation attacks against deep re-identification models across non-overlapping cameras. Unlike prior approaches that require iterative patch optimisation for each target, our method employs a conditional encoder-decoder network to synthesize adversarial patches in a single forward pass, guided by multi-scale features from source and target images. The patches are optimised with a dual adversarial objective comprising of pull and push terms. To enhance imperceptibility and aid physical deployment, we further integrate naturalistic patch generation using pre-trained latent diffusion models. Experiments on standard pedestrian (Market-1501, DukeMTMCreID) and facial recognition benchmarks (CelebA-HQ, PubFig) datasets demonstrate the effectiveness of the proposed method. Our adversarial evasion attacks reduce mean Average Precision from 90% to 0.4% in white-box settings and from 72% to 0.4% in black-box settings, showing strong cross-model generalization. In targeted impersonation attacks, our framework achieves a success rate of 27% on CelebA-HQ, competing with other patch-based methods. We go further to use clustering of activation maps to interpret which features are most used by adversarial attacks and propose a pathway for future countermeasures. The results highlight the practicality of adversarial patch attacks on retrieval-based systems and underline the urgent need for robust defense strategies.